author | Tim Burke <tim.burke@gmail.com> | 2017-12-05 21:52:51 +0000 |
---|---|---|
committer | Matthew Oliver <matt@oliver.net.au> | 2022-04-22 20:43:01 +1000 |
commit | 118cf2ba8af97dbbd78271126e22cb80f18f9adc (patch) | |
tree | ed9f524b597721bf6e82d507d5a5a2334e918af1 /etc | |
parent | b621a6f932edcda1cdba02534e382b962e759f9e (diff) | |
download | swift-118cf2ba8af97dbbd78271126e22cb80f18f9adc.tar.gz |
tempurl: Deprecate sha1 signatures

We've known this would eventually be necessary for a while [1], and
way back in 2017 we started seeing SHA-1 collisions [2].

[1] https://www.schneier.com/blog/archives/2012/10/when_will_we_se.html
[2] https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

UpgradeImpact:
==============
"sha1" has been removed from the default set of `allowed_digests` in the
tempurl middleware config. If your cluster still has clients requiring
the use of SHA-1,

- explicitly configure `allowed_digests` to include "sha1" and
- encourage your clients to move to more-secure algorithms.

Depends-On: https://review.opendev.org/c/openstack/tempest/+/832771
Change-Id: I6e6fa76671c860191a2ce921cb6caddc859b1066
Related-Change: Ia9dd1a91cc3c9c946f5f029cdefc9e66bcf01046
Closes-Bug: #1733634

Diffstat (limited to 'etc')
-rw-r--r-- | etc/proxy-server.conf-sample | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample index ef49c430f..63f53dc53 100644 --- a/etc/proxy-server.conf-sample +++ b/etc/proxy-server.conf-sample @@ -944,7 +944,7 @@ use = egg:swift#tempurl # # The digest algorithm(s) supported for generating signatures; # whitespace-delimited. -# allowed_digests = sha1 sha256 sha512 +# allowed_digests = sha256 sha512 # Note: Put formpost just before your auth filter(s) in the pipeline [filter:formpost] |
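
Review bot: the comment above `allowed_digests` is left as "The digest algorithm(s) supported for generating signatures; whitespace-delimited.", so an operator reading the sample gets no hint that sha1 was dropped from the default deliberately or that it can still be listed. The commit message's UpgradeImpact tells clusters with SHA-1 clients to set `allowed_digests` explicitly; a one-line comment here saying that sha1 is deprecated and must be added explicitly if legacy clients still need it would put that guidance where operators will actually see it. This view is also limited to 'etc', so it is worth confirming that the middleware's in-code default changes in the same commit, otherwise the sample and the effective default disagree.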